XSSDetect Public Beta now Available!

One of the biggest and most persistent problems we've seen our enterprise customers deal with, and one that we here at Microsoft also have to contend with, is the XSS (Cross Site Scripting) bug.  It's very common and, unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as to detect them in the code bases we review so that they can be fixed before going live.

XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code. 
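As an added illustration (not code from this post or from XSSDetect itself), here is the kind of managed-code pattern a dataflow XSS analyzer reports, untrusted request data reaching an output sink with no encoding in between, beside the hardened form; the page class and the `name` parameter are constructed for the example.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Constructed example page; not part of the original post or tool.
public partial class Greeting : Page
{
    // Source: untrusted data from the request.
    // Sink: written straight into the HTML response.
    // No sanitizer on the path, so a taint-tracking analyzer flags this
    // as a potential XSS issue.
    protected void RenderVulnerable()
    {
        string name = Request.QueryString["name"];
        Response.Write("<p>Hello, " + name + "</p>");
    }

    // Hardened form: HTML-encode the untrusted value before it reaches the
    // sink. The encoding call is the sanitizer that breaks the tainted flow;
    // the same applies to values emitted inline with <%= ... %> in an .aspx
    // page, which are also written to the response unencoded.
    protected void RenderSafe()
    {
        string name = Request.QueryString["name"] ?? string.Empty;
        Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        RenderSafe();
    }
}
```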

Here's a screenshot:

[Screenshot: XSSDetect]

While the functionality may seem straightforward, many years of research and hard work have gone into making XSSDetect a reality.  XSSDetect is a stripped-down version of our enterprise-ready Code Analysis Tool for .NET code bases (CAT.NET for short).  CAT.NET adds features such as VSTF integration, centralized reporting using web services, customized rulesets and filters, integration with FxCop and MSBuild, as well as the ability to run from the command line to integrate with your build processes (or if you're just old school and rock it like that ;)

XSSDetect is currently in beta, so we welcome your feedback!  This current version of the beta will expire after 60 days.  To send us your feedback, we encourage you to leave comments below or contact us via the 'Email' link above.

Click here to DOWNLOAD now!

Comments

  • Anonymous
    October 22, 2007
    Can this be integrated into FXCop?
  • Anonymous
    October 22, 2007
    I've talked about threat modeling being one part of the overall information security puzzle... there
  • Anonymous
    October 22, 2007
    XSS (Cross Site Scripting) techniques are among the most frequent, alongside other old friends. Microsoft
  • Anonymous
    October 22, 2007
    Good News anyway.
  • Anonymous
    October 22, 2007
    From the MS Download Center. XSS Detect Beta Code Analysis Tool Version: 1.0 Date Published:
  • Anonymous
    October 22, 2007
    I think this tool requires prior installation of Visual Studio 2005. Do you have any plans to give this tool as a separate exe that one can run on any set of .aspx files? I think if you remove the dependency, more people will tend to use the tools and you can also expect good feedback.
  • Anonymous
    October 23, 2007
    Is "CAT .NET" different from FxCop, and if so is it currently available for evaluation or use?
  • Anonymous
    October 23, 2007
    Will this work with VS 2008?
  • Anonymous
    October 23, 2007
    XSSDetect is available for download now. It's tool which helps identify Cross Site Scripting Vulnerabilities
  • Anonymous
    October 23, 2007
    A beta version of a new tool has been released to detect whether you might have any security holes
  • Anonymous
    October 23, 2007
    On a 2 GB machine I got an OutOfMemoryException on several large solutions where I tried this tool. The tool also doesn't seem to detect XSS issues when <%= variable %> is used in an .aspx file. Can you give some info on exactly what methods of input and output the tool checks, its capabilities and limitations?
  • Anonymous
    October 23, 2007
    Great news, I was looking for something like that for a long time..
  • Anonymous
    October 23, 2007
    Hi, my name is Hassan Khan. I work for the ACE Engineering Team, which is a part of the ACE (Application
  • Anonymous
    October 23, 2007
    The comment has been removed
  • Anonymous
    October 23, 2007
    The comment has been removed
  • Anonymous
    October 24, 2007
    Thanks for the hard work on this tool! I get an "License missing or expired" error when I try to run the tool in VS 2005 Team System. Any clues?
  • Anonymous
    October 24, 2007
    The comment has been removed
  • Anonymous
    October 24, 2007
    Hi Folks, Please keep the questions coming!  We're working on a FAQ blog post to answer all of the questions that are posted here. Thanks, ACE Team
  • Anonymous
    October 24, 2007
    The comment has been removed
  • Anonymous
    October 24, 2007
    The only output from this tool is the error message, "License missing or expired". What license? Windows is licensed. Visual Studio 2005 Pro is licensed. What else do I have to buy to use this tool?
  • Anonymous
    October 24, 2007
    This is definitely one tool you should be trying if you're writing web apps with Visual Studio. Cross-site
  • Anonymous
    October 24, 2007
    The comment has been removed
  • Anonymous
    October 24, 2007
    I wasn't sure what the problem was with the License missing, so I uninstalled the product and tried it on another OS (Win 2003 x86) and it worked fine. I then went back to try to re-install it on my Vista Business x64 and now I get an unexpected error 2869 -- problem with the package every time. What could be causing the problem with not being able to re-install the tool?
  • Anonymous
    October 24, 2007
    Sorry.. I can't see the answer where is?
  • Anonymous
    October 24, 2007
    Strange stuff; I wanted to run it over the Subtext code base, but I get out of memory errors very, very quickly, despite the estimate in the Output Window of only needing 96Mb. So what's the best way to generate some debugging feedback for you guys?
  • Anonymous
    October 25, 2007
    The "Ace" team inside of Microsoft has kindly released a plug-in for Visual Studio called XSSDetect
  • Anonymous
    October 25, 2007
    Anyone building web applications with ASP.NET should take a look at the XSSDetect tool.
  • Anonymous
    October 26, 2007
    The comment has been removed
  • Anonymous
    October 26, 2007
    So, I emailed using the blog email form but haven't heard back.  All XSSDetect seems good at doing for me is crashing VS 2005 SP1 every time I click analyze, no matter which assemblies (.NET 2.0 or 1.1) I try to analyze.  I get a TargetInvocationException. I'm not using Team System, just the regular VS 2005 from MSDN.  And I even reinstalled VS 2005 from scratch without any change.
  • Anonymous
    October 26, 2007
    Can XSSDetect be automated with ant/nant or with Team System? This is important from a SDL/SALSA perspective...
  • Anonymous
    October 28, 2007
    XSSDetect is a Visual Studio add-in designed to help the user eliminate XSS problems
  • Anonymous
    October 28, 2007
    I ran across a few interesting posts on the Application Consulting and Engineering (ACE) team's blog
  • Anonymous
    December 05, 2007
    The comment has been removed
  • Anonymous
    December 05, 2007
    The comment has been removed
  • Anonymous
    February 28, 2008
    Hi everyone, Bryan Sullivan here. Unless you’ve been living in an ice cave on the polar cap for the last
  • Anonymous
    May 01, 2008
    Hi everyone, Bryan here. I’m speaking at BlueHat today and tomorrow about some of my experiences as a